Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
A vulnerability was found in TencentCloudBase CloudBase-MCP up to 2.17.0. Affected is the function openUrl of the file mcp/src/interactive-server.ts of the component open-url API Endpoint. The manipulation of the argument req.body.url results in server-side request forgery. It is possible to launch the attack remotely. The exploit has been made public and could be used. Upgrading to version 2.17.1 is able to address this issue. The patch is identified as 3f678a1e7bd400cd76469d61024097d4920dc6b5. It is recommended to upgrade the affected component.
AnalysisAI
Server-side request forgery (SSRF) in TencentCloudBase CloudBase-MCP through version 2.17.0 allows remote unauthenticated attackers to manipulate the open-url API endpoint by injecting arbitrary URLs via the req.body.url parameter, enabling attackers to make unauthorized requests from the server to internal or external resources. The vulnerability has publicly available exploit code and affects the openUrl function in mcp/src/interactive-server.ts. Vendor-released patch version 2.17.1 is available.
Technical ContextAI
CloudBase-MCP is a Node.js-based microservice framework that exposes HTTP API endpoints for cloud service integration. The openUrl API endpoint in the interactive-server.ts component accepts a URL parameter from client requests without proper validation or sanitization. The underlying issue is CWE-918 (SSRF), where user-controlled input flows directly into server-side HTTP request operations, allowing attackers to bypass network segmentation and access internal resources (metadata services, private databases, admin interfaces) or perform outbound attacks from the server's network context. The vulnerability is context-agnostic to network position (AV:N) and requires no special complexity (AC:L) or user interaction (UI:N), making it trivially exploitable over HTTP/HTTPS.
RemediationAI
Upgrade TencentCloudBase CloudBase-MCP to version 2.17.1 or later immediately. The patched release is available at https://github.com/TencentCloudBase/CloudBase-MCP/releases/tag/v2.17.1 and addresses the input validation flaw in the openUrl endpoint. If immediate upgrade is not possible, implement network-level mitigations: restrict access to the open-url API endpoint (typically /open-url or similar) to trusted clients only via firewall rules or API gateway allowlisting, disable the open-url feature entirely if not actively used by disabling the interactive-server component, and isolate CloudBase-MCP instances from internal networks using network segmentation (no direct routing to metadata services, private databases, or admin interfaces). Each mitigation trades functionality for security; feature disablement is most secure but may break dependent applications.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25978